uas: Bounds check tags when using streams

Disallow the guest to cause us to address the data3 and status3 arrays out of bounds. Signed-off-by: N Hans de Goede <hdegoede@redhat.com> Signed-off-by: N Gerd Hoffmann <kraxel@redhat.com>

uas: Bounds check tags when using streams
Disallow the guest to cause us to address the data3 and status3 arrays out of bounds. Signed-off-by: N Hans de Goede <hdegoede@redhat.com> Signed-off-by: N Gerd Hoffmann <kraxel@redhat.com>
3453f9a0 · Hans de Goede · Gerd Hoffmann · 0478661e · 3453f9a0
隐藏空白更改
内联并排

Showing with 14 addition and 0 deletion

hw/usb/dev-uas.c hw/usb/dev-uas.c +14 -0

未找到文件。
--- a/hw/usb/dev-uas.c
+++ b/hw/usb/dev-uas.c
@@ -692,6 +692,9 @@ static void usb_uas_command(UASDevice *uas, uas_ui *ui)
    uint32_t len;
    uint16_t tag = be16_to_cpu(ui->hdr.tag);

+    if (uas_using_streams(uas) && tag > UAS_MAX_STREAMS) {
+        goto invalid_tag;
+    }
    req = usb_uas_find_request(uas, tag);
    if (req) {
        goto overlapped_tag;
@@ -724,6 +727,10 @@ static void usb_uas_command(UASDevice *uas, uas_ui *ui)
    }
    return;

+invalid_tag:
+    usb_uas_queue_fake_sense(uas, tag, sense_code_INVALID_TAG);
+    return;
+
 overlapped_tag:
    usb_uas_queue_fake_sense(uas, tag, sense_code_OVERLAPPED_COMMANDS);
    return;
@@ -742,6 +749,9 @@ static void usb_uas_task(UASDevice *uas, uas_ui *ui)
    UASRequest *req;
    uint16_t task_tag;

+    if (uas_using_streams(uas) && tag > UAS_MAX_STREAMS) {
+        goto invalid_tag;
+    }
    req = usb_uas_find_request(uas, be16_to_cpu(ui->hdr.tag));
    if (req) {
        goto overlapped_tag;
@@ -774,6 +784,10 @@ static void usb_uas_task(UASDevice *uas, uas_ui *ui)
    }
    return;

+invalid_tag:
+    usb_uas_queue_response(uas, tag, UAS_RC_INVALID_INFO_UNIT, 0);
+    return;
+
 overlapped_tag:
    usb_uas_queue_response(uas, req->tag, UAS_RC_OVERLAPPED_TAG, 0);
    return;